26 July 2024

The new EU AML package wants to improve centralisation, coordination, and risk understanding. Getting members states to align on these points will not be easy.

In mid-June, the full text of the next EU anti-money laundering and counter-terrorism financing (AML/CTF) package was published in the Official Journal. The package comprises a ‘single rulebook’ for Member States, the 6^th AML Directive (AMLD6), and the regulation establishing the European Anti-Money Laundering Authority (AMLA). It represents the latest step in the EU’s journey towards strengthening, and most importantly harmonising, its response to money laundering (ML) and terrorism financing (TF).

The package signals the EU’s intention to push for a greater alignment in its member states’ approach to AML. However, with two countries – Croatia and Bulgaria – on the Financial Action Task Force (FATF)’s grey list, gaps clearly remain in the EU which the new package will need to address, particularly in risk understanding and effective implementation.

The AML Trifecta

The EU AML landscape has been defined as ‘an awkward coexistence of national and supranational features,’ with combinations of supervisory models (from unitary in Spain, to fragmented in Germany or France) which hinder information sharing and cooperation at the national and EU level. Transposition of previous directives has also been patchy. In April this year, the European Commission opened infringement procedures against Ireland, France and Latvia for incorrectly transposing AMLD4 and AMLD5. Scandals involving Germany, Latvia, Malta or Cyprus, also highlight that leaving countries to supervise and enforce on their own, with potentially limited capacities and resources, is not the best way to tackle a transnational threat such as money laundering.

These things considered; the package is a welcome breath of fresh air. The flagship of the attempts towards harmonisation of the EU AML framework is the introduction of the Anti-Money Laundering Authority. Headquartered in Frankfurt and boasting a budget of approximately €400 million, AMLA will directly supervise up to 40 financial institutions that represent a high risk of ML/TF across member states. The Authority will coordinate with national regulators and ensure that supervised entities meet AML/CTF responsibilities, as well as compliance with ‘obligations related to the implementation of targeted financial sanctions’ . It will also publish assessments on EU ML/TF risks every two years, seeking to achieve a more comprehensive understanding of the threats facing the Union, and how they manifest in different member states.

The package also introduces the EU Single Rulebook, a set of harmonised rules for private sector entities operating in the EU. Among the most relevant changes, the scope of the regulation is now expanded to include a larger number of entities, such as crowdfunding platforms, traders in luxury goods, mortgage intermediaries, and professional football clubs and agents.  It also imposes a limit on cash transactions of more than €10,000 and prohibits anonymous crypto-asset wallets, prepaid cards issued in third countries, and passbooks. The rulebook also provides greater clarity on AML systems and controls, such as how to conduct a risk-based approach, ongoing monitoring, and customer due diligence (CDD).

Finally, the package sets the lines for the Union’s latest AML Directive. Among the most significant changes, the sixth AMLD requires member states to conduct a national risk assessment (NRA) within a specific timeframe (four years); it mandates to create cross-border registers containing information on bank accounts and real estate, granting access to the results to obligated entities; and provides guidance on the information that should be included in these registers. It also strengthens the framework of operation of Financial Intelligence Units (FIU), which will now have to provide obliged entities with feedback on the quality of suspicious transaction reports (STRs) once per year.

To regulation and beyond

Beyond the regulatory update, this package stands out in comparison to its predecessors. AMLD4 incorporated the FATF Recommendations by increasing the emphasis on the risk-based approach and being more prescriptive with respects to conducting NRAs and CDD. AMLD5 expanded the scope of the sectors subject to AML supervision and enhanced transparency, as it created central access mechanisms to bank account holder information available to public authorities in the EU.

The new package goes beyond this, as it doubles down on centralisation, coordination, and risk understanding. Previous directives relied heavily on national supervisors. With the establishment of AMLA and the new directive, the EU will take the wheel on supervision of high-risk entities and widen the number of sectors who will be caught in the AML net. Provisions on CDD, ultimate beneficial ownership (UBO), and STRs, which previously had to be transposed into national AML/CTF legislation, will now have direct implementation thanks to the single rulebook, enhancing coordination. Civil society organisations, academia, and journalists are confirmed to have a legitimate interest to access UBO registers alongside authorities by Article 12 of the Directive, overcoming concerns raised by a 2022 ruling by the Court of Justice of the European Union (CJEU) which had led to the suspension of public access to registers in some member states. The obligations for periodic NRAs, FIUs feedback on STRs, and criteria for the most appropriate supervisory response to breaches based on a common assessment of supervised sectors should also level up the understanding of EU ML/TF risks and improve supervision.

While ambitious, these changes will not come without challenges.

First, as for previous directives, the success of this latest iteration will largely depend on how effectively member states transpose and implement most provisions. While it is expected that AMLA will play a coordinating role with national regulators to ensure AML/CTF responsibilities are met, there is no actual mechanism in place – beyond infringement procedures – that can ensure faster compliance.

Second, depending on its setup and staffing, AMLA can be either every supervisor’s dream or a bureaucratic nightmare – a criticism that European authorities are pretty familiar with. AMLA’s proposed size, budget, and remit show – at least on paper – a commitment towards effective supervision. The Authority’s future Chair, whose job posting was recently published (€290,000 per year tax exempt, enough to attract some AML superstar from the private sector?), will need to establish a credible authority and resource it with the right people. This, while ensuring smooth coordination across 27 member states and keeping in check some of the highest-risk financial institutions – a task that that so far national supervisors have struggled with.

Third and last, conducting a thorough national risk assessment requires a full understanding of the money laundering risks a country may face. The new rules mandate periodic NRAs and allow member states to exclude sectors from their national AML regulations if they consider them to be low risk. However, in their latest evaluations by the FATF or its European regional body, MONEYVAL, only five EU member states (Belgium, Italy, Latvia, Luxembourg, Spain) rated as ‘Compliant’ for Recommendation 1 – which requires countries to assess their risks and apply a risk-based approach. This may indicate that EU countries do not have a clear risk understanding nor know how to conduct a threat assessment, and it and does not bode well for future NRAs.

Expanding the scope of the obliged entities may also pose implementation challenges, particularly to those operating in member states with lower capacity, or more complacent, AML regimes. Given the current struggle in supervision and effective enforcement across already regulated sectors, such as lawyers and accountants, across EU members, there is the risk that the divide in AML approaches is only going to grow.

One Package to Supervise Them All

Overall, the new package is an ambitious project that sets the course of the EU AML response for the next five years. Combined with the FATF’s revision of its Assessment Methodology for the next round of mutual evaluations, it establishes new standards with potential ripple effects far beyond EU borders.

Will this be enough to make the EU less attractive to money launderers? Noticeably, the EU has done very little to take care of those among its own that are failing to meet appropriate AML/CTF standards. The Union states that it ‘takes into account the recommendations provided by FATF,’ when listing high-risk jurisdictions with strategic deficiencies in their regimes. However, it steers away from mentioning Bulgaria and Croatia, the latest EU members added to the watchdog’s grey list for AML deficiencies. While some would argue that the EU simply leaves the task of naming and shaming to the FATF, this may not be enough. Especially if the grey listed countries do not fully understand the reasoning behind the grey listing and the risks they face and enable, as previous RUSI reports have found.

Without a coordinated approach at national, EU, and international level, any new package risks of having limited impact. And in a Union which is only as strong as its weakest link, AML deficiencies leave countries prey to money launderers and threat actors alike, reducing the security of the EU as a whole. The EU is now at a critical juncture: either dive deep into past failures, really understand the current threat landscape, and see these reforms through effectively across all member states, or simply add another layer to an already complex regulatory landscape. This new package sets the coordinates for what looks like a promising AML response. However, as it often happens, the true test lies not in the package itself, but in its execution.